authorKurt Roeckx <kurt@roeckx.be>2015-12-05 02:04:41 +0100
committerKurt Roeckx <kurt@roeckx.be>2015-12-05 17:45:59 +0100
commit361a1191279d5a801fa6cfe22d51ef17d6ab38ea (patch)
treee530e75d67f1de7d0b4aa4a42050f435937ad104 /ssl
parentfe6ef2472db933f01b59cad82aa925736935984b (diff)
downloadopenssl-361a1191279d5a801fa6cfe22d51ef17d6ab38ea.tar.gz
Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org> MR: #364
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_enc.c36
-rw-r--r--ssl/s3_lib.c700
-rw-r--r--ssl/ssl_cert.c11
-rw-r--r--ssl/ssl_ciph.c77
-rw-r--r--ssl/ssl_err.c10
-rw-r--r--ssl/ssl_lib.c115
-rw-r--r--ssl/ssl_locl.h81
-rw-r--r--ssl/statem/statem_clnt.c177
-rw-r--r--ssl/statem/statem_srvr.c87
-rw-r--r--ssl/t1_enc.c42
10 files changed, 284 insertions, 1052 deletions
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 850f76d12d..31c89182e7 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -197,18 +197,16 @@ int ssl3_change_cipher_state(SSL *s, int which)
unsigned char *p, *mac_secret;
unsigned char exp_key[EVP_MAX_KEY_LENGTH];
unsigned char exp_iv[EVP_MAX_IV_LENGTH];
- unsigned char *ms, *key, *iv, *er1, *er2;
+ unsigned char *ms, *key, *iv;
EVP_CIPHER_CTX *dd;
const EVP_CIPHER *c;
#ifndef OPENSSL_NO_COMP
COMP_METHOD *comp;
#endif
const EVP_MD *m;
- EVP_MD_CTX md;
- int is_exp, n, i, j, k, cl;
+ int n, i, j, k, cl;
int reuse_dd = 0;
- is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c = s->s3->tmp.new_sym_enc;
m = s->s3->tmp.new_hash;
/* m == NULL will lead to a crash later */
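Review bot: The locals `exp_key` and `exp_iv` stay declared in this hunk, but the only code that wrote to them (the `if (is_exp)` block removed in the hunk at old line 326) is gone, so they appear to be dead. The two `OPENSSL_cleanse(exp_key, ...)` / `OPENSSL_cleanse(exp_iv, ...)` calls kept in the hunk at old line 370 now wipe buffers that never held key material. I would drop both declarations and both cleanse calls in this commit, so that a reader does not assume derived key bytes still pass through stack copies here. The body of ssl3_change_cipher_state extends beyond the visible hunks, so confirm there is no other use before removing them.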
@@ -295,9 +293,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
if (i < 0)
goto err2;
cl = EVP_CIPHER_key_length(c);
- j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
- cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
- /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
+ j = cl;
k = EVP_CIPHER_iv_length(c);
if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
(which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
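Review bot: After `j = cl;` the variable `j` is only a second name for the cipher key length, yet the key-block offset arithmetic in the following hunks still uses it (`n += j + j`, `n += j + k`). Either use `cl` directly and remove `j` from the declaration list, or keep the line with a comment such as `/* key length as used in the key block; no export truncation any more */`, so the bounds check against `s->s3->tmp.key_block_length` is easy to audit. The function continues outside this hunk, so other uses of `j` and `cl` are not visible here.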
@@ -307,8 +303,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
n += j + j;
iv = &(p[n]);
n += k + k;
- er1 = &(s->s3->client_random[0]);
- er2 = &(s->s3->server_random[0]);
} else {
n = i;
ms = &(p[n]);
@@ -317,8 +311,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
n += j + k;
iv = &(p[n]);
n += k;
- er1 = &(s->s3->server_random[0]);
- er2 = &(s->s3->client_random[0]);
}
if (n > s->s3->tmp.key_block_length) {
@@ -326,28 +318,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
goto err2;
}
- EVP_MD_CTX_init(&md);
memcpy(mac_secret, ms, i);
- if (is_exp) {
- /*
- * In here I set both the read and write key/iv to the same value
- * since only the correct one will be used :-).
- */
- EVP_DigestInit_ex(&md, EVP_md5(), NULL);
- EVP_DigestUpdate(&md, key, j);
- EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
- EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
- key = &(exp_key[0]);
-
- if (k > 0) {
- EVP_DigestInit_ex(&md, EVP_md5(), NULL);
- EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
- EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
- iv = &(exp_iv[0]);
- }
- }
EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
@@ -370,7 +341,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
OPENSSL_cleanse(exp_key, sizeof(exp_key));
OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
- EVP_MD_CTX_cleanup(&md);
return (1);
err:
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index d89cdfabab..24cf5f0322 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -173,7 +173,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -189,28 +189,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
-/* Cipher 03 */
- {
- 1,
- SSL3_TXT_RSA_RC4_40_MD5,
- SSL3_CK_RSA_RC4_40_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 04 */
{
1,
@@ -221,7 +205,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -237,28 +221,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
-/* Cipher 06 */
- {
- 1,
- SSL3_TXT_RSA_RC2_40_MD5,
- SSL3_CK_RSA_RC2_40_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC2,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 07 */
#ifndef OPENSSL_NO_IDEA
{
@@ -270,29 +238,13 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_IDEA,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
#endif
-/* Cipher 08 */
- {
- 1,
- SSL3_TXT_RSA_DES_40_CBC_SHA,
- SSL3_CK_RSA_DES_40_CBC_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 09 */
{
1,
@@ -303,7 +255,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
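Review bot: This table entry still describes a 56-bit suite (`SSL_DES`, `SSL_LOW`, strength and algorithm bits `56, 56`), and only its `SSL_NOT_EXP` flag is removed, while the commit title says support for all 40 and 56 bit ciphers is removed. The same holds for the entries touched in the hunks at old lines 352, 400, 449, 497 and 577. If the intent is to drop only the export suites, a comment on these entries would prevent a wrong conclusion during a cipher audit, for example `/* single DES, 56-bit key: not an export suite; kept as SSL_LOW and SSL_NOT_DEFAULT */`. The suite name constants for this entry are outside the hunk, so the single-DES reading is inferred from the visible fields.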
@@ -319,29 +271,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
-/* The DH ciphers */
-/* Cipher 0B */
- {
- 0,
- SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
- SSL3_CK_DH_DSS_DES_40_CBC_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 0C */
{
1,
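Review bot: The section heading `/* The DH ciphers */` is deleted together with Cipher 0B, although the entries that follow (Cipher 0C onwards) still belong to that group. The heading should be kept directly above `/* Cipher 0C */`. The hunk at old line 416 does the same to `/* The Ephemeral DH ciphers */`, which should move above `/* Cipher 12 */`. These headings are the only grouping markers visible in this part of `ssl3_ciphers[]`, and they help when checking which key-exchange families remain enabled.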
@@ -352,7 +287,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -368,28 +303,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
-/* Cipher 0E */
- {
- 0,
- SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
- SSL3_CK_DH_RSA_DES_40_CBC_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 0F */
{
1,
@@ -400,7 +319,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -416,29 +335,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
-/* The Ephemeral DH ciphers */
-/* Cipher 11 */
- {
- 1,
- SSL3_TXT_DHE_DSS_DES_40_CBC_SHA,
- SSL3_CK_DHE_DSS_DES_40_CBC_SHA,
- SSL_kDHE,
- SSL_aDSS,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 12 */
{
1,
@@ -449,7 +351,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -465,28 +367,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
-/* Cipher 14 */
- {
- 1,
- SSL3_TXT_DHE_RSA_DES_40_CBC_SHA,
- SSL3_CK_DHE_RSA_DES_40_CBC_SHA,
- SSL_kDHE,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 15 */
{
1,
@@ -497,7 +383,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -513,28 +399,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
-/* Cipher 17 */
- {
- 1,
- SSL3_TXT_ADH_RC4_40_MD5,
- SSL3_CK_ADH_RC4_40_MD5,
- SSL_kDHE,
- SSL_aNULL,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 18 */
{
1,
@@ -545,28 +415,12 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
-/* Cipher 19 */
- {
- 1,
- SSL3_TXT_ADH_DES_40_CBC_SHA,
- SSL3_CK_ADH_DES_40_CBC_SHA,
- SSL_kDHE,
- SSL_aNULL,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 1A */
{
1,
@@ -577,7 +431,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -593,7 +447,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -609,7 +463,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -624,7 +478,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -639,7 +493,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -657,7 +511,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -672,7 +526,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -687,7 +541,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -702,7 +556,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -717,7 +571,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -732,7 +586,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -748,7 +602,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -763,7 +617,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -779,7 +633,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -795,7 +649,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -811,7 +665,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -827,7 +681,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -844,7 +698,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -860,7 +714,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -876,7 +730,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -892,7 +746,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -908,7 +762,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -924,7 +778,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -943,7 +797,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -959,7 +813,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -975,7 +829,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -991,7 +845,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1007,7 +861,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1023,7 +877,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1041,7 +895,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1057,7 +911,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1073,7 +927,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1089,7 +943,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1105,7 +959,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1121,7 +975,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1137,7 +991,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1154,7 +1008,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eGOST2814789CNT,
SSL_GOST89MAC,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
256
@@ -1168,7 +1022,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_GOST94,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
0,
0
@@ -1187,7 +1041,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1202,7 +1056,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1218,7 +1072,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1234,7 +1088,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1250,7 +1104,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1266,7 +1120,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1285,7 +1139,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1301,7 +1155,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1317,7 +1171,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1333,7 +1187,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1349,7 +1203,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1365,7 +1219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1381,7 +1235,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1397,7 +1251,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1413,7 +1267,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1429,7 +1283,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -1445,7 +1299,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1461,7 +1315,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1481,7 +1335,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1497,7 +1351,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1513,7 +1367,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1529,7 +1383,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1545,7 +1399,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1561,7 +1415,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1581,7 +1435,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1597,7 +1451,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1613,7 +1467,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1629,7 +1483,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1645,7 +1499,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1661,7 +1515,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1677,7 +1531,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1693,7 +1547,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1709,7 +1563,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1725,7 +1579,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1741,7 +1595,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1757,7 +1611,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1775,7 +1629,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1791,7 +1645,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1807,7 +1661,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1823,7 +1677,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1839,7 +1693,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -1855,7 +1709,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1871,7 +1725,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1887,7 +1741,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1903,7 +1757,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -1919,7 +1773,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
@@ -1935,7 +1789,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1951,7 +1805,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -1967,7 +1821,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -1983,7 +1837,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
@@ -1999,7 +1853,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2015,7 +1869,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2031,7 +1885,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -2047,7 +1901,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
@@ -2067,7 +1921,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2083,7 +1937,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2099,7 +1953,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2115,7 +1969,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2131,7 +1985,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2147,7 +2001,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2163,7 +2017,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -2179,7 +2033,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -2195,7 +2049,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -2211,7 +2065,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -2227,7 +2081,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -2243,7 +2097,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -2278,7 +2132,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -2294,7 +2148,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2310,7 +2164,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2326,7 +2180,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2342,7 +2196,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2358,7 +2212,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -2374,7 +2228,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2390,7 +2244,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2406,7 +2260,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2422,7 +2276,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2438,7 +2292,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -2454,7 +2308,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2470,7 +2324,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2486,7 +2340,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2502,7 +2356,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2518,7 +2372,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -2534,7 +2388,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2550,7 +2404,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2566,7 +2420,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2582,7 +2436,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2598,7 +2452,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -2614,7 +2468,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2630,7 +2484,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2646,7 +2500,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2662,7 +2516,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2680,7 +2534,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2696,7 +2550,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2712,7 +2566,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2728,7 +2582,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2744,7 +2598,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2760,7 +2614,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2776,7 +2630,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2792,7 +2646,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2808,7 +2662,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -2828,7 +2682,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2844,7 +2698,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2860,7 +2714,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2876,7 +2730,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2892,7 +2746,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2908,7 +2762,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2924,7 +2778,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2940,7 +2794,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2958,7 +2812,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2974,7 +2828,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2990,7 +2844,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3006,7 +2860,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -3022,7 +2876,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3038,7 +2892,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -3054,7 +2908,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3070,7 +2924,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -3087,7 +2941,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -3103,7 +2957,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -3119,7 +2973,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -3135,7 +2989,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -3151,7 +3005,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -3167,7 +3021,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -3183,7 +3037,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -3199,7 +3053,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
@@ -3215,7 +3069,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_STRONG_NONE | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
@@ -3231,7 +3085,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
@@ -3245,7 +3099,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3259,7 +3113,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
@@ -3273,7 +3127,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3287,7 +3141,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
@@ -3301,7 +3155,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3315,7 +3169,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
@@ -3329,7 +3183,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3346,7 +3200,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128},
@@ -3360,7 +3214,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3374,7 +3228,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128},
@@ -3388,7 +3242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3402,7 +3256,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128},
@@ -3416,7 +3270,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3430,7 +3284,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128},
@@ -3444,7 +3298,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
@@ -3460,7 +3314,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3476,7 +3330,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3492,7 +3346,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3508,7 +3362,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3524,7 +3378,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3540,7 +3394,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3556,7 +3410,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3572,7 +3426,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3588,7 +3442,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3604,7 +3458,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3620,7 +3474,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3636,7 +3490,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3652,7 +3506,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3668,7 +3522,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3684,7 +3538,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3700,7 +3554,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3716,7 +3570,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3732,7 +3586,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3748,7 +3602,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -3764,7 +3618,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256CCM8,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -3779,7 +3633,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eGOST2814789CNT12,
SSL_GOST89MAC12,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_HIGH,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
256},
@@ -3792,7 +3646,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_eNULL,
SSL_GOST12_256,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_STRONG_NONE,
+ SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256,
0,
0},
@@ -3884,9 +3738,6 @@ void ssl3_free(SSL *s)
ssl3_cleanup_key_block(s);
-#ifndef OPENSSL_NO_RSA
- RSA_free(s->s3->peer_rsa_tmp);
-#endif
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
DH_free(s->s3->peer_dh_tmp);
@@ -3923,11 +3774,6 @@ void ssl3_clear(SSL *s)
OPENSSL_free(s->s3->tmp.peer_sigalgs);
s->s3->tmp.peer_sigalgs = NULL;
-#ifndef OPENSSL_NO_RSA
- RSA_free(s->s3->peer_rsa_tmp);
- s->s3->peer_rsa_tmp = NULL;
-#endif
-
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
s->s3->tmp.dh = NULL;
@@ -4001,36 +3847,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_FLAGS:
ret = (int)(s->s3->flags);
break;
-#ifndef OPENSSL_NO_RSA
- case SSL_CTRL_NEED_TMP_RSA:
- if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
- ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
- (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) >
- (512 / 8))))
- ret = 1;
- break;
- case SSL_CTRL_SET_TMP_RSA:
- {
- RSA *rsa = (RSA *)parg;
- if (rsa == NULL) {
- SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
- return (ret);
- }
- if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) {
- SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
- return (ret);
- }
- RSA_free(s->cert->rsa_tmp);
- s->cert->rsa_tmp = rsa;
- ret = 1;
- }
- break;
- case SSL_CTRL_SET_TMP_RSA_CB:
- {
- SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return (ret);
- }
-#endif
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
@@ -4320,17 +4136,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
else {
EVP_PKEY *ptmp;
int rv = 0;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
- if (!s->s3->peer_rsa_tmp && !s->s3->peer_dh_tmp && !s->s3->peer_ecdh_tmp)
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
+ if (!s->s3->peer_dh_tmp && !s->s3->peer_ecdh_tmp)
return 0;
#endif
ptmp = EVP_PKEY_new();
if (ptmp == NULL)
return 0;
-#ifndef OPENSSL_NO_RSA
- else if (s->s3->peer_rsa_tmp)
- rv = EVP_PKEY_set1_RSA(ptmp, s->s3->peer_rsa_tmp);
-#endif
#ifndef OPENSSL_NO_DH
else if (s->s3->peer_dh_tmp)
rv = EVP_PKEY_set1_DH(ptmp, s->s3->peer_dh_tmp);
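Review bot: The early `return 0` in this branch of ssl3_ctrl is compiled only when both DH and EC are enabled, so a build with one of them disabled calls `EVP_PKEY_new()` before finding that no peer temporary key exists. The `else if` arms also hang off `if (ptmp == NULL) return 0;` across separate `#ifndef` blocks, which makes the chain easy to break on the next edit. With the RSA arm gone, consider a comment above the guard such as `/* nothing to export unless the peer sent a temporary DH or ECDH key */`, and testing each pointer under its own feature guard before allocating. The branch continues past the end of the hunk, so whether `ptmp` is freed when `rv` stays 0 is not visible here and should be confirmed.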
@@ -4396,13 +4208,6 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
int ret = 0;
switch (cmd) {
-#ifndef OPENSSL_NO_RSA
- case SSL_CTRL_SET_TMP_RSA_CB:
- {
- s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
- }
- break;
-#endif
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
@@ -4433,46 +4238,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
cert = ctx->cert;
switch (cmd) {
-#ifndef OPENSSL_NO_RSA
- case SSL_CTRL_NEED_TMP_RSA:
- if ((cert->rsa_tmp == NULL) &&
- ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
- (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) >
- (512 / 8)))
- )
- return (1);
- else
- return (0);
- /* break; */
- case SSL_CTRL_SET_TMP_RSA:
- {
- RSA *rsa;
- int i;
-
- rsa = (RSA *)parg;
- i = 1;
- if (rsa == NULL)
- i = 0;
- else {
- if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
- i = 0;
- }
- if (!i) {
- SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_RSA_LIB);
- return (0);
- } else {
- RSA_free(cert->rsa_tmp);
- cert->rsa_tmp = rsa;
- return (1);
- }
- }
- /* break; */
- case SSL_CTRL_SET_TMP_RSA_CB:
- {
- SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return (0);
- }
-#endif
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
@@ -4687,13 +4452,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
cert = ctx->cert;
switch (cmd) {
-#ifndef OPENSSL_NO_RSA
- case SSL_CTRL_SET_TMP_RSA_CB:
- {
- cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
- }
- break;
-#endif
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
@@ -4783,7 +4541,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok;
- unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
+ unsigned long alg_k, alg_a, mask_k, mask_a;
/* Let's see which ciphers we can support */
@@ -4836,14 +4594,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ssl_set_masks(s, c);
mask_k = s->s3->tmp.mask_k;
mask_a = s->s3->tmp.mask_a;
- emask_k = s->s3->tmp.export_mask_k;
- emask_a = s->s3->tmp.export_mask_a;
#ifndef OPENSSL_NO_SRP
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
mask_k |= SSL_kSRP;
- emask_k |= SSL_kSRP;
mask_a |= SSL_aSRP;
- emask_a |= SSL_aSRP;
}
#endif
@@ -4856,19 +4610,11 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
continue;
#endif /* OPENSSL_NO_PSK */
- if (SSL_C_IS_EXPORT(c)) {
- ok = (alg_k & emask_k) && (alg_a & emask_a);
+ ok = (alg_k & mask_k) && (alg_a & mask_a);
#ifdef CIPHER_DEBUG
- fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",
- ok, alg_k, alg_a, emask_k, emask_a, (void *)c, c->name);
+ fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
+ alg_a, mask_k, mask_a, (void *)c, c->name);
#endif
- } else {
- ok = (alg_k & mask_k) && (alg_a & mask_a);
-#ifdef CIPHER_DEBUG
- fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
- alg_a, mask_k, mask_a, (void *)c, c->name);
-#endif
- }
# ifndef OPENSSL_NO_EC
/*
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0153b18f46..80dc409478 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -195,14 +195,6 @@ CERT *ssl_cert_dup(CERT *cert)
ret->references = 1;
ret->key = &ret->pkeys[cert->key - cert->pkeys];
-#ifndef OPENSSL_NO_RSA
- if (cert->rsa_tmp != NULL) {
- RSA_up_ref(cert->rsa_tmp);
- ret->rsa_tmp = cert->rsa_tmp;
- }
- ret->rsa_tmp_cb = cert->rsa_tmp_cb;
-#endif
-
#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL) {
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
@@ -377,9 +369,6 @@ void ssl_cert_free(CERT *c)
}
#endif
-#ifndef OPENSSL_NO_RSA
- RSA_free(c->rsa_tmp);
-#endif
#ifndef OPENSSL_NO_DH
DH_free(c->dh_tmp);
#endif
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d2139e1248..69a0cc8984 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -399,13 +399,7 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, "TLSv1.0", 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0},
{0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0},
- /* export flag */
- {0, SSL_TXT_EXP, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0},
- {0, SSL_TXT_EXPORT, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0},
-
/* strength classes */
- {0, SSL_TXT_EXP40, 0, 0, 0, 0, 0, 0, SSL_EXP40, 0, 0, 0},
- {0, SSL_TXT_EXP56, 0, 0, 0, 0, 0, 0, SSL_EXP56, 0, 0, 0},
{0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0},
{0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0},
{0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0},
@@ -413,24 +407,12 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_FIPS, 0, 0, 0},
/* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
- {0, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, 0,
- SSL_kDHE, SSL_aDSS, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_EXPORT | SSL_EXP40,
- 0, 0, 0,},
- {0, SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, 0,
- SSL_kDHE, SSL_aDSS, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP | SSL_LOW,
- 0, 0, 0,},
{0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 0,
SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, 0, 0, 0,},
- {0, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, 0,
- SSL_kDHE, SSL_aRSA, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_EXPORT | SSL_EXP40,
- 0, 0, 0,},
- {0, SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 0,
- SSL_kDHE, SSL_aRSA, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP | SSL_LOW,
- 0, 0, 0,},
+ SSL_HIGH | SSL_FIPS, 0, 0, 0,},
{0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 0,
SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, 0, 0, 0,},
+ SSL_HIGH | SSL_FIPS, 0, 0, 0,},
};
@@ -982,11 +964,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
continue;
if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
continue;
- if ((algo_strength & SSL_EXP_MASK)
- && !(algo_strength & SSL_EXP_MASK & cp->algo_strength))
- continue;
- if ((algo_strength & SSL_STRONG_MASK)
- && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
+ if (algo_strength && !(algo_strength & cp->algo_strength))
continue;
if ((algo_strength & SSL_DEFAULT_MASK)
&& !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
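Review bot: Dropping the mask changes what the strength test means: `if (algo_strength && !(algo_strength & cp->algo_strength))` now passes on any shared bit, including the bits that the `SSL_DEFAULT_MASK` check right below it is meant to handle separately. The ssl_cipher_process_rulestr hunk that follows has the same problem, because `algo_strength &= ca_list[j]->algo_strength` intersects a strength-class alias with a default-class alias. If those bits are disjoint it ends in `found = 0` before the `SSL_DEFAULT_MASK` block can merge them, so a rule can silently stop matching and the resulting cipher list differs from what the operator wrote. If `SSL_STRONG_MASK` is still defined in ssl_locl.h (not visible in this part of the diff), keep the masked form `if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))` and remove only the `SSL_EXP_MASK` test. Both functions start and end outside their hunks.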
@@ -1249,31 +1227,15 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
alg_mac = ca_list[j]->algorithm_mac;
}
- if (ca_list[j]->algo_strength & SSL_EXP_MASK) {
- if (algo_strength & SSL_EXP_MASK) {
- algo_strength &=
- (ca_list[j]->algo_strength & SSL_EXP_MASK) |
- ~SSL_EXP_MASK;
- if (!(algo_strength & SSL_EXP_MASK)) {
- found = 0;
- break;
- }
- } else
- algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK;
- }
-
- if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
- if (algo_strength & SSL_STRONG_MASK) {
- algo_strength &=
- (ca_list[j]->algo_strength & SSL_STRONG_MASK) |
- ~SSL_STRONG_MASK;
- if (!(algo_strength & SSL_STRONG_MASK)) {
+ if (ca_list[j]->algo_strength) {
+ if (algo_strength) {
+ algo_strength &= ca_list[j]->algo_strength;
+ if (!algo_strength) {
found = 0;
break;
}
} else
- algo_strength |=
- ca_list[j]->algo_strength & SSL_STRONG_MASK;
+ algo_strength = ca_list[j]->algo_strength;
}
if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
@@ -1625,12 +1587,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
{
- int is_export, pkl, kl;
- const char *ver, *exp_str;
+ const char *ver;
const char *kx, *au, *enc, *mac;
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
static const char *format =
- "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
+ "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
alg_mkey = cipher->algorithm_mkey;
alg_auth = cipher->algorithm_auth;
@@ -1638,11 +1599,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
alg_mac = cipher->algorithm_mac;
alg_ssl = cipher->algorithm_ssl;
- is_export = SSL_C_IS_EXPORT(cipher);
- pkl = SSL_C_EXPORT_PKEYLENGTH(cipher);
- kl = SSL_C_EXPORT_KEYLENGTH(cipher);
- exp_str = is_export ? " export" : "";
-
if (alg_ssl & SSL_SSLV3)
ver = "SSLv3";
else if (alg_ssl & SSL_TLSV1)
@@ -1654,7 +1610,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
switch (alg_mkey) {
case SSL_kRSA:
- kx = is_export ? (pkl == 512 ? "RSA(512)" : "RSA(1024)") : "RSA";
+ kx = "RSA";
break;
case SSL_kDHr:
kx = "DH/RSA";
@@ -1663,7 +1619,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
kx = "DH/DSS";
break;
case SSL_kDHE:
- kx = is_export ? (pkl == 512 ? "DH(512)" : "DH(1024)") : "DH";
+ kx = "DH";
break;
case SSL_kECDHr:
kx = "ECDH/RSA";
@@ -1735,16 +1691,16 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
switch (alg_enc) {
case SSL_DES:
- enc = (is_export && kl == 5) ? "DES(40)" : "DES(56)";
+ enc = "DES(56)";
break;
case SSL_3DES:
enc = "3DES(168)";
break;
case SSL_RC4:
- enc = is_export ? (kl == 5 ? "RC4(40)" : "RC4(56)") : "RC4(128)";
+ enc = "RC4(128)";
break;
case SSL_RC2:
- enc = is_export ? (kl == 5 ? "RC2(40)" : "RC2(56)") : "RC2(128)";
+ enc = "RC2(128)";
break;
case SSL_IDEA:
enc = "IDEA(128)";
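Review bot: The `SSL_DES` arm still reports `"DES(56)"` after this hunk, which sits oddly with a commit that removes every 56-bit suite. If the s3_lib.c part of the change (not shown here) drops the single-DES suites, this case is unreachable and can go, together with any `SSL_DES` handling that only served it. If single DES is kept, the commit message overstates what was removed. The switch continues outside the hunk.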
@@ -1834,8 +1790,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
} else if (len < 128)
return ("Buffer too small");
- BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac,
- exp_str);
+ BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac);
return (buf);
}
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 1ecb91bfb7..b5940284af 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -517,8 +517,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"empty srtp protection profile list"},
{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
"encrypted length too long"},
- {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),
- "error generating tmp rsa key"},
{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
"error in received cipher list"},
{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"},
@@ -559,10 +557,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_MISSING_ECDH_CERT), "missing ecdh cert"},
{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),
"missing ecdsa signing cert"},
- {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),
- "missing export tmp dh key"},
- {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),
- "missing export tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),
"missing rsa encrypting cert"},
@@ -570,8 +564,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_MISSING_SRP_PARAM), "can't find SRP server param"},
{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY), "missing tmp ecdh key"},
- {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY), "missing tmp rsa key"},
- {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY), "missing tmp rsa pkey"},
{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE), "missing verify message"},
{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS), "multiple sgc restarts"},
{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED), "no certificates returned"},
@@ -705,8 +697,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
"tlsv1 alert decrypt error"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
- "tlsv1 alert export restriction"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
"tlsv1 alert inappropriate fallback"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ea2acce96a..d51c6b7850 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2004,65 +2004,44 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
CERT_PKEY *cpk;
CERT *c = s->cert;
uint32_t *pvalid = s->s3->tmp.valid_flags;
- int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
- int rsa_enc_export, dh_rsa_export, dh_dsa_export;
- int rsa_tmp_export, dh_tmp_export, kl;
- unsigned long mask_k, mask_a, emask_k, emask_a;
+ int rsa_enc, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
+ unsigned long mask_k, mask_a;
#ifndef OPENSSL_NO_EC
- int have_ecc_cert, ecdsa_ok, ecc_pkey_size;
+ int have_ecc_cert, ecdsa_ok;
int ecdh_ok;
X509 *x = NULL;
- EVP_PKEY *ecc_pkey = NULL;
int pk_nid = 0, md_nid = 0;
#endif
if (c == NULL)
return;
- kl = SSL_C_EXPORT_PKEYLENGTH(cipher);
-
-#ifndef OPENSSL_NO_RSA
- rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
- rsa_tmp_export = (c->rsa_tmp_cb != NULL ||
- (rsa_tmp && RSA_size(c->rsa_tmp) * 8 <= kl));
-#else
- rsa_tmp = rsa_tmp_export = 0;
-#endif
#ifndef OPENSSL_NO_DH
dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
- dh_tmp_export = !c->dh_tmp_auto && (c->dh_tmp_cb != NULL ||
- (dh_tmp
- && DH_size(c->dh_tmp) * 8 <= kl));
#else
- dh_tmp = dh_tmp_export = 0;
+ dh_tmp = 0;
#endif
cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
- rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID;
- dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID;
- dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_ECC]);
#ifndef OPENSSL_NO_EC
have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
#endif
mask_k = 0;
mask_a = 0;
- emask_k = 0;
- emask_a = 0;
#ifdef CIPHER_DEBUG
fprintf(stderr,
- "rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
- rsa_tmp, rsa_tmp_export, dh_tmp, rsa_enc,
- rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
+ "dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+ dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
#endif
#ifndef OPENSSL_NO_GOST
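Review bot: Every `cpk = &(c->pkeys[...]);` assignment left in this hunk is now a dead store, because the only reads of `cpk` here were the removed `EVP_PKEY_size(cpk->privatekey)` export checks. Dropping the six assignments (`SSL_PKEY_RSA_ENC` through `SSL_PKEY_ECC`) would leave just the `pvalid[...]` tests and make it clear that private-key size no longer influences the masks. ssl_set_masks continues past the hunk, so `cpk` itself may still be needed further down, for instance in the GOST section that starts on the last line.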
@@ -2083,42 +2062,30 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
}
#endif
- if (rsa_enc || (rsa_tmp && rsa_sign))
+ if (rsa_enc)
mask_k |= SSL_kRSA;
- if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
- emask_k |= SSL_kRSA;
-
- if (dh_tmp_export)
- emask_k |= SSL_kDHE;
if (dh_tmp)
mask_k |= SSL_kDHE;
if (dh_rsa)
mask_k |= SSL_kDHr;
- if (dh_rsa_export)
- emask_k |= SSL_kDHr;
if (dh_dsa)
mask_k |= SSL_kDHd;
- if (dh_dsa_export)
- emask_k |= SSL_kDHd;
if (mask_k & (SSL_kDHr | SSL_kDHd))
mask_a |= SSL_aDH;
if (rsa_enc || rsa_sign) {
mask_a |= SSL_aRSA;
- emask_a |= SSL_aRSA;
}
if (dsa_sign) {
mask_a |= SSL_aDSS;
- emask_a |= SSL_aDSS;
}
mask_a |= SSL_aNULL;
- emask_a |= SSL_aNULL;
/*
* An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
@@ -2134,47 +2101,32 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
ecdsa_ok = 0;
- ecc_pkey = X509_get_pubkey(x);
- ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
- EVP_PKEY_free(ecc_pkey);
OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (ecdh_ok) {
if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
mask_k |= SSL_kECDHr;
mask_a |= SSL_aECDH;
- if (ecc_pkey_size <= 163) {
- emask_k |= SSL_kECDHr;
- emask_a |= SSL_aECDH;
- }
}
if (pk_nid == NID_X9_62_id_ecPublicKey) {
mask_k |= SSL_kECDHe;
mask_a |= SSL_aECDH;
- if (ecc_pkey_size <= 163) {
- emask_k |= SSL_kECDHe;
- emask_a |= SSL_aECDH;
- }
}
}
if (ecdsa_ok) {
mask_a |= SSL_aECDSA;
- emask_a |= SSL_aECDSA;
}
}
#endif
#ifndef OPENSSL_NO_EC
mask_k |= SSL_kECDHE;
- emask_k |= SSL_kECDHE;
#endif
#ifndef OPENSSL_NO_PSK
mask_k |= SSL_kPSK;
mask_a |= SSL_aPSK;
- emask_k |= SSL_kPSK;
- emask_a |= SSL_aPSK;
if (mask_k & SSL_kRSA)
mask_k |= SSL_kRSAPSK;
if (mask_k & SSL_kDHE)
@@ -2185,8 +2137,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
s->s3->tmp.mask_k = mask_k;
s->s3->tmp.mask_a = mask_a;
- s->s3->tmp.export_mask_k = emask_k;
- s->s3->tmp.export_mask_a = emask_a;
}
#ifndef OPENSSL_NO_EC
@@ -2194,8 +2144,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
{
unsigned long alg_k, alg_a;
- EVP_PKEY *pkey = NULL;
- int keysize = 0;
int md_nid = 0, pk_nid = 0;
const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
uint32_t ex_kusage = X509_get_key_usage(x);
@@ -2203,17 +2151,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
alg_k = cs->algorithm_mkey;
alg_a = cs->algorithm_auth;
- if (SSL_C_IS_EXPORT(cs)) {
- /* ECDH key length in export ciphers must be <= 163 bits */
- pkey = X509_get_pubkey(x);
- if (pkey == NULL)
- return 0;
- keysize = EVP_PKEY_bits(pkey);
- EVP_PKEY_free(pkey);
- if (keysize > 163)
- return 0;
- }
-
OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
@@ -3079,44 +3016,6 @@ int SSL_want(const SSL *s)
}
/**
- * \brief Set the callback for generating temporary RSA keys.
- * \param ctx the SSL context.
- * \param cb the callback
- */
-
-#ifndef OPENSSL_NO_RSA
-void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb) (SSL *ssl,
- int is_export,
- int keylength))
-{
- SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
-}
-
-void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb) (SSL *ssl,
- int is_export,
- int keylength))
-{
- SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
-}
-#endif
-
-#ifdef DOXYGEN
-/**
- * \brief The RSA temporary key callback function.
- * \param ssl the SSL session.
- * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
- * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
- * of the required key in bits.
- * \return the temporary RSA key.
- * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
- */
-
-RSA *cb(SSL *ssl, int is_export, int keylength)
-{
-}
-#endif
-
-/**
* \brief Set the callback for generating temporary DH keys.
* \param ctx the SSL context.
* \param dh the callback
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c1ae1c00ff..34091d3aa6 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -438,68 +438,16 @@
*/
# define TLS1_STREAM_MAC 0x10000
-/*
- * Export and cipher strength information. For each cipher we have to decide
- * whether it is exportable or not. This information is likely to change
- * over time, since the export control rules are no static technical issue.
- *
- * Independent of the export flag the cipher strength is sorted into classes.
- * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
- * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
- * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
- * since SSL_EXP64 could be similar to SSL_LOW.
- * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
- * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
- * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
- * be possible.
- */
-# define SSL_EXP_MASK 0x00000003U
-# define SSL_STRONG_MASK 0x000001fcU
-# define SSL_DEFAULT_MASK 0X00000200U
-
-# define SSL_NOT_EXP 0x00000001U
-# define SSL_EXPORT 0x00000002U
-
-# define SSL_STRONG_NONE 0x00000004U
-# define SSL_EXP40 0x00000008U
-# define SSL_MICRO (SSL_EXP40)
-# define SSL_EXP56 0x00000010U
-# define SSL_MINI (SSL_EXP56)
-# define SSL_LOW 0x00000020U
-# define SSL_MEDIUM 0x00000040U
-# define SSL_HIGH 0x00000080U
-# define SSL_FIPS 0x00000100U
-
-# define SSL_NOT_DEFAULT 0x00000200U
+# define SSL_DEFAULT_MASK 0X00000020U
-/* we have used 000003ff - 22 bits left to go */
+# define SSL_STRONG_NONE 0x00000001U
+# define SSL_LOW 0x00000002U
+# define SSL_MEDIUM 0x00000004U
+# define SSL_HIGH 0x00000008U
+# define SSL_FIPS 0x00000010U
+# define SSL_NOT_DEFAULT 0x00000020U
-/*-
- * Macros to check the export status and cipher strength for export ciphers.
- * Even though the macros for EXPORT and EXPORT40/56 have similar names,
- * their meaning is different:
- * *_EXPORT macros check the 'exportable' status.
- * *_EXPORT40/56 macros are used to check whether a certain cipher strength
- * is given.
- * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
- * algorithm structure element to be passed (algorithms, algo_strength) and no
- * typechecking can be done as they are all of type unsigned long, their
- * direct usage is discouraged.
- * Use the SSL_C_* macros instead.
- */
-# define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
-# define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
-# define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
-# define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
-# define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
-# define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
-
-# define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
- (a) == SSL_DES ? 8 : 7)
-# define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
-# define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithm_enc, \
- (c)->algo_strength)
-# define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
+/* we have used 0000003f - 26 bits left to go */
/* Check if an SSL structure is using DTLS */
# define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
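Review bot: The renumbered strength flags are left without any description, since the block comment that explained them was removed along with the export macros. A short replacement above `SSL_STRONG_NONE` would help, for example `/* Cipher strength classes stored in SSL_CIPHER.algo_strength */`, plus a line saying that `SSL_DEFAULT_MASK` and `SSL_NOT_DEFAULT` are deliberately the same bit. `0X00000020U` should also use a lowercase `0x` like the neighbouring constants.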
@@ -550,8 +498,7 @@
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
/*-
- * SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
- * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
+ * SSL_kRSA <- RSA_ENC
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
* SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
* SSL_aRSA <- RSA_ENC | RSA_SIGN
@@ -1300,7 +1247,6 @@ typedef struct ssl3_state_st {
int ctype_num;
char ctype[SSL3_CT_NUMBER];
STACK_OF(X509_NAME) *ca_names;
- int use_rsa_tmp;
int key_block_length;
unsigned char *key_block;
const EVP_CIPHER *new_sym_enc;
@@ -1349,8 +1295,6 @@ typedef struct ssl3_state_st {
*/
uint32_t mask_k;
uint32_t mask_a;
- uint32_t export_mask_k;
- uint32_t export_mask_a;
/* Client only */
uint32_t mask_ssl;
} tmp;
@@ -1392,9 +1336,6 @@ typedef struct ssl3_state_st {
# endif /* !OPENSSL_NO_EC */
/* For clients: peer temporary key */
-# ifndef OPENSSL_NO_RSA
- RSA *peer_rsa_tmp;
-# endif
# ifndef OPENSSL_NO_DH
DH *peer_dh_tmp;
# endif
@@ -1559,10 +1500,6 @@ typedef struct cert_st {
* an index, not a pointer.
*/
CERT_PKEY *key;
-# ifndef OPENSSL_NO_RSA
- RSA *rsa_tmp;
- RSA *(*rsa_tmp_cb) (SSL *ssl, int is_export, int keysize);
-# endif
# ifndef OPENSSL_NO_DH
DH *dh_tmp;
DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b49f4984b3..9ac992197f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -211,30 +211,6 @@ static int key_exchange_expected(SSL *s)
return 1;
}
- /*
- * Export ciphersuites may have temporary RSA keys if the public key in the
- * server certificate is longer than the maximum export strength
- */
- if ((alg_k & SSL_kRSA) && SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
- EVP_PKEY *pkey;
-
- pkey = X509_get_pubkey(s->session->peer);
- if (pkey == NULL)
- return -1;
-
- /*
- * If the public key in the certificate is shorter than or equal to the
- * maximum export strength then a temporary RSA key is not allowed
- */
- if (EVP_PKEY_bits(pkey)
- <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
- return 0;
-
- EVP_PKEY_free(pkey);
-
- return 1;
- }
-
return 0;
}
@@ -1622,10 +1598,6 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
save_param_start = *pkt;
-#ifndef OPENSSL_NO_RSA
- RSA_free(s->s3->peer_rsa_tmp);
- s->s3->peer_rsa_tmp = NULL;
-#endif
#ifndef OPENSSL_NO_DH
DH_free(s->s3->peer_dh_tmp);
s->s3->peer_dh_tmp = NULL;
@@ -1709,51 +1681,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
/* We must check if there is a certificate */
if (alg_a & (SSL_aRSA|SSL_aDSS))
pkey = X509_get_pubkey(s->session->peer);
- } else
-#endif /* !OPENSSL_NO_SRP */
-#ifndef OPENSSL_NO_RSA
- if (alg_k & SSL_kRSA) {
- PACKET mod, exp;
- /* Temporary RSA keys only allowed in export ciphersuites */
- if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
- al = SSL_AD_UNEXPECTED_MESSAGE;
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
- goto f_err;
- }
-
- if (!PACKET_get_length_prefixed_2(pkt, &mod)
- || !PACKET_get_length_prefixed_2(pkt, &exp)) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
-
- if ((rsa = RSA_new()) == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if ((rsa->n = BN_bin2bn(PACKET_data(&mod), PACKET_remaining(&mod),
- rsa->n)) == NULL
- || (rsa->e = BN_bin2bn(PACKET_data(&exp), PACKET_remaining(&exp),
- rsa->e)) == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
-
- /* this should be because we are using an export cipher */
- if (alg_a & SSL_aRSA)
- pkey = X509_get_pubkey(s->session->peer);
- else {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- s->s3->peer_rsa_tmp = rsa;
- rsa = NULL;
}
-#else /* OPENSSL_NO_RSA */
- if (0) ;
-#endif
+#endif /* !OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_DH
else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
PACKET prime, generator, pub_key;
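Review bot: With the RSA branch and its `#else` / `if (0) ;` fallback removed, the `else if (alg_k & (SSL_kDHE | SSL_kDHEPSK))` under `#ifndef OPENSSL_NO_DH` now hangs directly off the closing `}` of the SRP block, which only exists when `OPENSSL_NO_SRP` is not defined. A build configured without SRP would therefore see an `else` with no matching `if`, or a doubled `else` if the preceding block ends in `else` (that part is outside this hunk). Restoring a placeholder inside the SRP conditional keeps the chain valid in every configuration: `#else` then `if (0) ;` before `#endif /* !OPENSSL_NO_SRP */`.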
@@ -1850,14 +1779,6 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
group = EC_KEY_get0_group(ecdh);
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- (EC_GROUP_get_degree(group) > 163)) {
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
- SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
- goto f_err;
- }
-
/* Next, get the encoded ECPoint */
if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
((bn_ctx = BN_CTX_new()) == NULL)) {
@@ -2445,20 +2366,16 @@ psk_err:
goto err;
}
- if (s->s3->peer_rsa_tmp != NULL)
- rsa = s->s3->peer_rsa_tmp;
- else {
- pkey = X509_get_pubkey(s->session->peer);
- if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
- || (pkey->pkey.rsa == NULL)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- EVP_PKEY_free(pkey);
- goto err;
- }
- rsa = pkey->pkey.rsa;
+ pkey = X509_get_pubkey(s->session->peer);
+ if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
+ || (pkey->pkey.rsa == NULL)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
EVP_PKEY_free(pkey);
+ goto err;
}
+ rsa = pkey->pkey.rsa;
+ EVP_PKEY_free(pkey);
pms[0] = s->client_version >> 8;
pms[1] = s->client_version & 0xff;
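Review bot: `rsa = pkey->pkey.rsa;` is followed immediately by `EVP_PKEY_free(pkey);`, so `rsa` is a borrowed pointer that outlives the reference it was read from. It stays valid only while the peer certificate keeps its own reference to the key, which presumably holds as long as `s->session->peer` is not released before the encryption step further down (outside the hunk). Either move `EVP_PKEY_free(pkey)` to after the last use of `rsa`, or state the dependency in a comment such as `/* rsa is owned by the peer certificate's key; do not free */`.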
@@ -3178,10 +3095,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
int i, idx;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
- int pkey_bits;
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
-#endif
#ifndef OPENSSL_NO_DH
DH *dh;
#endif
@@ -3193,9 +3106,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
/* we don't have a certificate */
if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
return (1);
-#ifndef OPENSSL_NO_RSA
- rsa = s->s3->peer_rsa_tmp;
-#endif
#ifndef OPENSSL_NO_DH
dh = s->s3->peer_dh_tmp;
#endif
@@ -3222,7 +3132,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
pkey = X509_get_pubkey(s->session->peer);
- pkey_bits = EVP_PKEY_bits(pkey);
i = X509_certificate_type(s->session->peer, pkey);
EVP_PKEY_free(pkey);
@@ -3240,27 +3149,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
#ifndef OPENSSL_NO_RSA
- if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
- if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_RSA_ENCRYPTING_CERT);
- goto f_err;
- } else if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
- if (pkey_bits <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- if (!has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_RSA_ENCRYPTING_CERT);
- goto f_err;
- }
- if (rsa != NULL) {
- /* server key exchange is not allowed. */
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- }
- }
+ if (alg_k & (SSL_kRSA | SSL_kRSAPSK) &&
+ !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+ SSL_R_MISSING_RSA_ENCRYPTING_CERT);
+ goto f_err;
}
#endif
#ifndef OPENSSL_NO_DH
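Review bot: The collapsed condition `alg_k & (SSL_kRSA | SSL_kRSAPSK) && !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)` relies on `&` binding tighter than `&&`; it is correct but easy to misread. Parenthesising the mask test, `if ((alg_k & (SSL_kRSA | SSL_kRSAPSK)) &&`, would match the `if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))` check earlier in the same function and remove the doubt.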
@@ -3284,48 +3177,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
# endif
#endif
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
-#ifndef OPENSSL_NO_RSA
- if (alg_k & SSL_kRSA) {
- if (rsa == NULL) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
- goto f_err;
- } else if (RSA_bits(rsa) >
- SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- /* We have a temporary RSA key but it's too large. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
- goto f_err;
- }
- } else
-#endif
-#ifndef OPENSSL_NO_DH
- if (alg_k & SSL_kDHE) {
- if (DH_bits(dh) >
- SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- /* We have a temporary DH key but it's too large. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_DH_KEY);
- goto f_err;
- }
- } else if (alg_k & (SSL_kDHr | SSL_kDHd)) {
- /* The cert should have had an export DH key. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_DH_KEY);
- goto f_err;
- } else
-#endif
- {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
- goto f_err;
- }
- }
return (1);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d4668b23b9..a39e288bda 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -315,7 +315,7 @@ static int send_server_key_exchange(SSL *s)
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
/*
- * only send a ServerKeyExchange if DH, fortezza or RSA but we have a
+ * only send a ServerKeyExchange if DH or fortezza but we have a
* sign only certificate PSK: may send PSK identity hints For
* ECC ciphersuites, we send a serverKeyExchange message only if
* the cipher suite is either ECDH-anon or ECDHE. In other cases,
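Review bot: The edited comment now reads "only send a ServerKeyExchange if DH or fortezza but we have a sign only certificate", where the trailing clause belonged to the RSA case that this commit removes. Suggested wording for the first two lines: `* only send a ServerKeyExchange if DH or fortezza.` followed by `* PSK: may send PSK identity hints. For`, leaving the ECC sentences as they are. The comment block continues past the end of the hunk.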
@@ -324,15 +324,6 @@ static int send_server_key_exchange(SSL *s)
*/
if ( (alg_k & SSL_kDHE)
|| (alg_k & SSL_kECDHE)
- || ((alg_k & SSL_kRSA)
- && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
- && EVP_PKEY_size(s->cert->pkeys
- [SSL_PKEY_RSA_ENC].privatekey) *
- 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
- )
- )
- )
/*
* PSK: send ServerKeyExchange if PSK identity hint if
* provided
@@ -1723,9 +1714,6 @@ int tls_construct_server_done(SSL *s)
int tls_construct_server_key_exchange(SSL *s)
{
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
-#endif
#ifndef OPENSSL_NO_DH
DH *dh = NULL, *dhp;
#endif
@@ -1769,35 +1757,6 @@ int tls_construct_server_key_exchange(SSL *s)
if (type & (SSL_kPSK | SSL_kRSAPSK)) {
} else
#endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_RSA
- if (type & SSL_kRSA) {
- rsa = cert->rsa_tmp;
- if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
- rsa = s->cert->rsa_tmp_cb(s,
- SSL_C_IS_EXPORT(s->s3->
- tmp.new_cipher),
- SSL_C_EXPORT_PKEYLENGTH(s->s3->
- tmp.new_cipher));
- if (rsa == NULL) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
- goto f_err;
- }
- RSA_up_ref(rsa);
- cert->rsa_tmp = rsa;
- }
- if (rsa == NULL) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- SSL_R_MISSING_TMP_RSA_KEY);
- goto f_err;
- }
- r[0] = rsa->n;
- r[1] = rsa->e;
- s->s3->tmp.use_rsa_tmp = 1;
- } else
-#endif
#ifndef OPENSSL_NO_DH
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
if (s->cert->dh_tmp_auto) {
@@ -1811,11 +1770,7 @@ int tls_construct_server_key_exchange(SSL *s)
} else
dhp = cert->dh_tmp;
if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
- dhp = s->cert->dh_tmp_cb(s,
- SSL_C_IS_EXPORT(s->s3->
- tmp.new_cipher),
- SSL_C_EXPORT_PKEYLENGTH(s->s3->
- tmp.new_cipher));
+ dhp = s->cert->dh_tmp_cb(s, 0, 1024);
if (dhp == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
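Review bot: `dhp = s->cert->dh_tmp_cb(s, 0, 1024);` hard-codes the two values the removed macros produced for non-export suites, but nothing in the code says so. Application callbacks that size their parameters from `keylength` will keep producing 1024-bit DH groups, which is a weak default for ephemeral DH. A comment such as `/* is_export is always 0 now; 1024 is the legacy keylength hint, not a recommended size */` would help, and deriving the hint from the configured security policy is worth considering. The surrounding DHE branch starts and ends outside the hunk.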
@@ -1903,13 +1858,6 @@ int tls_construct_server_key_exchange(SSL *s)
goto err;
}
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- (EC_GROUP_get_degree(group) > 163)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
- goto err;
- }
-
/*
* XXX: For now, we only support ephemeral ECDH keys over named
* (not generic) curves. For supported named curves, curve_id is
@@ -2316,30 +2264,15 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
size_t j;
/* FIX THIS UP EAY EAY EAY EAY */
- if (s->s3->tmp.use_rsa_tmp) {
- if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
- rsa = s->cert->rsa_tmp;
- /*
- * Don't do a callback because rsa_tmp should be sent already
- */
- if (rsa == NULL) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_TMP_RSA_PKEY);
- goto f_err;
-
- }
- } else {
- pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
- if ((pkey == NULL) ||
- (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_RSA_CERTIFICATE);
- goto f_err;
- }
- rsa = pkey->pkey.rsa;
+ pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
+ if ((pkey == NULL) ||
+ (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+ SSL_R_MISSING_RSA_CERTIFICATE);
+ goto f_err;
}
+ rsa = pkey->pkey.rsa;
/* SSLv3 and pre-standard DTLS omit the length bytes. */
if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index ae1d36c71e..ccf933e90a 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -294,15 +294,12 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
int tls1_change_cipher_state(SSL *s, int which)
{
- static const unsigned char empty[] = "";
unsigned char *p, *mac_secret;
- unsigned char *exp_label;
unsigned char tmp1[EVP_MAX_KEY_LENGTH];
unsigned char tmp2[EVP_MAX_KEY_LENGTH];
unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
unsigned char *ms, *key, *iv;
- int client_write;
EVP_CIPHER_CTX *dd;
const EVP_CIPHER *c;
#ifndef OPENSSL_NO_COMP
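Review bot: `tmp1`, `tmp2`, `iv1` and `iv2` stay declared here although the export-only `tls1_PRF` calls that filled them are deleted later in this commit. Unless something outside the visible hunks still reads them, the four buffers and any cleanup calls on them are now dead. Removing them would stop the function reserving key-sized stack buffers it never uses.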
@@ -313,10 +310,9 @@ int tls1_change_cipher_state(SSL *s, int which)
int *mac_secret_size;
EVP_MD_CTX *mac_ctx;
EVP_PKEY *mac_key;
- int is_export, n, i, j, k, exp_label_len, cl;
+ int n, i, j, k, cl;
int reuse_dd = 0;
- is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c = s->s3->tmp.new_sym_enc;
m = s->s3->tmp.new_hash;
mac_type = s->s3->tmp.new_mac_pkey_type;
@@ -413,8 +409,7 @@ int tls1_change_cipher_state(SSL *s, int which)
i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;
cl = EVP_CIPHER_key_length(c);
- j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
- cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+ j = cl;
/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
/* If GCM/CCM mode only part of IV comes from PRF */
if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
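Review bot: After `j = cl;` the comment `/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */` describes code that is two revisions old and is now misleading. The matching comment in ssl3_change_cipher_state was dropped by this same commit, so it should be deleted here too. As `j` is now always equal to `cl`, one of the two locals could be folded away in a follow-up.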
@@ -431,9 +426,6 @@ int tls1_change_cipher_state(SSL *s, int which)
n += j + j;
iv = &(p[n]);
n += k + k;
- exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
- exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
- client_write = 1;
} else {
n = i;
ms = &(p[n]);
@@ -442,9 +434,6 @@ int tls1_change_cipher_state(SSL *s, int which)
n += j + k;
iv = &(p[n]);
n += k;
- exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
- exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
- client_write = 0;
}
if (n > s->s3->tmp.key_block_length) {
@@ -473,33 +462,6 @@ int tls1_change_cipher_state(SSL *s, int which)
printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n');
}
#endif
- if (is_export) {
- /*
- * In here I set both the read and write key/iv to the same value
- * since only the correct one will be used :-).
- */
- if (!tls1_PRF(s,
- exp_label, exp_label_len,
- s->s3->client_random, SSL3_RANDOM_SIZE,
- s->s3->server_random, SSL3_RANDOM_SIZE,
- NULL, 0, NULL, 0,
- key, j, tmp1, tmp2, EVP_CIPHER_key_length(c)))
- goto err2;
- key = tmp1;
-
- if (k > 0) {
- if (!tls1_PRF(s,
- TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE,
- s->s3->client_random, SSL3_RANDOM_SIZE,
- s->s3->server_random, SSL3_RANDOM_SIZE,
- NULL, 0, NULL, 0, empty, 0, iv1, iv2, k * 2))
- goto err2;
- if (client_write)
- iv = iv1;
- else
- iv = &(iv1[k]);
- }
- }
if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))